ESCALATED: 2FA not enforced on /profile/applications
HackerOne report #691477 by brdoors3 on 2019-09-10, assigned to hackerjuan:
Hi team,
I found one access control related to your feature 'Enforcing 2FA for all users' on https://gitlab.com/
POC
1 access one group and enforce the 2FA for all users
In this test I used one grace period of 1 hour
2 after 1 hour access again https://gitlab.com
The user will be redirected to https://gitlab.com/profile/two_factor_auth
3 try to access some other areas
All pages redirect to https://gitlab.com/profile/two_factor_auth (expected behavior)
4 access https://gitlab.com/profile/applications
The 2FA is not enforced on this page. I can create and delete applications without any 2FA active
POC video attached
Impact
In this scenario after grace period has elapsed one user can access and make any change on https://gitlab.com/profile/applications
Attachments
Warning: Attachments received through HackerOne, please exercise caution!